From: WyoFlippa <wyoflippa@gmail.com>
To: "Valdis Klētnieks" <valdis.kletnieks@vt.edu>
Cc: kernelnewbies@kernelnewbies.org
Subject: Re: Kernel drivers and IOCTLs
Date: Tue, 4 Feb 2020 20:57:24 -0600 [thread overview]
Message-ID: <dd126362-b9bb-7c89-24b1-42ccb04cc430@gmail.com> (raw)
In-Reply-To: <44531.1579798166@turing-police>
Hi Valdis,
On 1/23/2020 10:49 AM, Valdis Klētnieks wrote:
> On Tue, 21 Jan 2020 22:27:01 -0600, WyoFlippa said:
>
>> I'm working on a driver that would verify a Linux or U-Boot image is
>> secure and I need to pass parameters such as the public key, starting
>> address, etc.
> This is actually a lot harder to do properly than it looks, especially if
> you're trying to export the information to userspace - a compromised kernel can
> simply hijack your ioctl or /proc or /sys file and output that it's not
> compromised. You can't even easily use public/private keys to sign the
> statement it's not compromised, because if the legit kernel has access to the
> public key, the compromised code probably does too.....
>
> And if you're defending against sufficiently well-financed attackers, it may
> even be difficult for a driver to verify the rest of the kernel isn't
> compromised. As a fairly obvious attack, consider a kernel with 2 sets of page
> table mappings. First, a set that contains the original kernel code and is
> mapped in when your driver is executing, and then the *real* set that maps in
> other physical pages containing the skullduggery code, which gets mapped in
> when there's something evil being done....
>
> So what *actual* problem are you trying to solve by using a driver to verify
> the image is "secure" (which needs further definition, but you probably already
> knew that if your skill level is up to doing this right...)? In particular, what are
> you trying to do that various secure boot schemes don't address?
Thank you for the response and sorry for the delay in replying.
I'm actually happy with the existing boot schemes. In this case, the
driver is going to validate a signed image (U-Boot or Linux) before it
is programmed into the flash memory. Although the image is validated
when booting, it is one additional check to avoid surprises.
Since Linux is validated, the driver should be trusted but you make a
good point about the application accessing the driver in userspace. In
addition to that problem, I'm wrestling with the method of getting the
image to the driver. It looks like reading a file from the kernel is
frowned upon except in the firmware case which is special. So I'll need
to think about that some more.
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
next prev parent reply other threads:[~2020-02-05 2:57 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-22 4:27 Kernel drivers and IOCTLs WyoFlippa
2020-01-22 19:04 ` Greg KH
2020-01-23 16:49 ` Valdis Klētnieks
2020-02-05 2:57 ` WyoFlippa [this message]
2020-02-05 4:01 ` Valdis Klētnieks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dd126362-b9bb-7c89-24b1-42ccb04cc430@gmail.com \
--to=wyoflippa@gmail.com \
--cc=kernelnewbies@kernelnewbies.org \
--cc=valdis.kletnieks@vt.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).